Chrome (stable) --safe-plugins flag

Discussion in 'all things UNIX' started by Ocky, Oct 9, 2010.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Don't do much with Chrome but what about the --safe-plugins switch - would there be any negatives adding it to the target command (/opt/google/chrome/google-chrome --safe-plugins %U) such as problems with flash etc.
    Will it help sandboxing the plugins as there is no root access anyway ?

    (Question posed by rank amateur)
     
  2. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    In the past, sandboxing plugins would cause problems; e.g. you wouldn't be able to upload photos to Imageshack, because the Flash plugin can't touch your files. I've kept it disabled all this while, so I'm not really sure if these problems still exist.

    And yes, sandboxing the plugins help. You don't need root access to trash your personal data inside your home folder.
     
  3. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks Eice. :cool:
     
  4. katio

    katio Guest

    Run the browser as a separate user, problem solved. Without a browser exploit+privilege escalation one can't do anything to the rest of the system.
    But I'm not suggesting you shouldn't use the sandboxing if available...
     
  5. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    One user can,t manipulate the other user?
     
  6. katio

    katio Guest

    Yes, but it depends on the file permissions. Ubuntu for example is gives read only permission to other user by default, others are more strict and deny all access.
     
  7. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    How to do that? Command?

    Thanks
     
  8. katio

    katio Guest

    This tutorial gives you a basic idea, it's quite old so not everything might apply today (not tested just quickly skimmed!)
    http://groups.google.nl/group/alt.os.linux.slackware/msg/ee6ddf2b4f6c1828

    I rely on Apparmor instead, security is I think very similar (in terms of securing /home) but it allows me to lock down a program even more (disallow perl, python and write perm to tmp for example which are scriptkiddie's best friends) and simply a lot more flexible.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. I wish to try AppArmor but it,s way over my head.
     
  10. katio

    katio Guest

    Your sig says you use Ubuntu. It already comes with a profile for Firefox, all you have to do is to enter "sudo aa-enforce /etc/apparmor.d/usr.bin.firefox" (no quotes) into a terminal and you'll get a sound and tested, albeit a bit too permissive protection for Firefox. For other apps you could make a new thread here* or on ubuntuforums* and someone can write a profile for you, then drop the script into /etc/apparmor.d and run above command with the appropriate path.
    You can also easily and more or less automatically generate your own profiles using the command "sudo aa-genprof application-name" but that requires some basic understanding of the Apparmor, see "man apparmor.d".

    * see https://www.wilderssecurity.com/showthread.php?t=272658 and
    http://ubuntuforums.org/showthread.php?t=1008911
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks Katio.

    I will try when I have spare time. My main browser is chromium. May be they will add a profile for it when FF is going to be replaced with chromium as default.
     
  12. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    BTW there was a way to know whether the plugins are sandboxed or not? Some one mentioned here.I forgot it now.

    Basically a site with uploading via flash, that fails with safe plugins( sandboxed flash).
     
  13. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    BTW, what is the correct way to add flags (switches) ? Everyone seems to add them to the launcher properties shortcut, but according to the PPA's ;-
    o_O
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    In Windows, default is a folder, not a file.
     
  15. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    In linux of course it's a file that can be edited to add switches ..

    # Default settings for chromium-browser. This file is sourced by /bin/sh from
    # /usr/bin/chromium-browser

    # Options to pass to chromium-browser
    CHROMIUM_FLAGS=""

    Just wondering why everyone seems to add them to the launcher properties when doing it like that is not recommended.
    (* To pass flags to Chromium, please don't tweak the launcher, but edit /etc/chromium-browser/default instead).
     
  16. tlu

    tlu Guest

    Well, there is one - just look in /etc/apparmor.d. There should be a profile called usr.bin.chromium-browser (alt least if you installed it from the ppa).

    Enable it with

    sudo aa-enforce /etc/apparmor.d/usr.bin.chromium-browser
     
  17. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Ocky, is it possible that updates may replace the launcher but leave the default file unaffected. So it would be in the user's interest not to change the launcher because alterations made there would be lost in the next update?

    Incidentally, the Windows version has a file called preferences (in the default folder) which can be opened with a text editor but I don't know what will happen if it is fiddled with! It stores the various choices we make via the UI and information about extensions, themes and plug-ins.
     
  18. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    vasa1, the updates (eg. from 6xx to 7xx) don't touch the launcher commands, so there must be some other reason.
    (In Linux the user settings you referred to are stored in ~/.config/chromium in a folder called Default.)
     
  19. katio

    katio Guest

  20. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    The issue is why people seem to prefer using the "launcher" route for switches in *nix.

    The issue that switches are a temporary phenomenon and could vanish or not be supported is known.

    On the other hand, when Windows users have been arguing for having an interface to set a different proxy server such as FF has instead of relying on the IE interface, the official response is a won't fix since a switch is available!

    Source

    ********​

    This site has an updated list of switches presented quite nicely:
    http://peter.sh/experiments/chromium-command-line-switches/
     
  21. katio

    katio Guest

    Google and itt was talking about "the" launcher. But you can simple create new "shortcuts" (as they are called in Windows) or aliases, .desktop launchers, shellscripts what ever in other OSs. I don't see any problem with that. If you created them, they won't be changed by the system.
    The only problem would be if they change, rename or remove some switches with an update. But I don't think that's happening very often and you'd soon realise it and can easily fix it.
     
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Can any one tell me I should use

    --safe-plugins %U

    or

    --safe-plugins


    Thanks
     
  23. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    OK, thanks katio.

    The first one (see first post).
     
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks. So in linux it,s different from windows?
     
Loading...
Thread Status:
Not open for further replies.